26b7c35d8c
Operations in the DSA signing algorithm should run in constant time in order to avoid side channel attacks. A flaw in the OpenSSL DSA implementation means that a non-constant time codepath is followed for certain operations. This has been demonstrated through a cache-timing attack to be sufficient for an attacker to recover the private DSA key.

CVE-2016-2178

(Imported from upstream's 621eaf49a289bfac26d4cbcdb7396e796784c534 and b7d0f2834e139a20560d64c73e2565e93715ce2b.)

We should eventually not depend on BN_FLG_CONSTTIME since it's a mess (seeing as the original fix was wrong until we reported b7d0f2834e to them), but, for now, go with the simplest fix.

Change-Id: I9ea15c1d1cc3a7e21ef5b591e1879ec97a179718
Reviewed-on: https://boringssl-review.googlesource.com/8172
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Files in the tree at this commit:

CMakeLists.txt
dsa_asn1.c
dsa_test.c
dsa.c